Apple fixes critical crypto bug in iOS, OS X fix to be released "soon"
Posted on 24 February 2014.
On Friday, Apple announced the release of a software update for its iOS mobile operating system that addresses a critical encryption flaw. A similar update has also been released for Apple TV.


Apparently, there were a few missing validation steps that made the SSL implementation vulnerable and would allow an attacker with a privileged network position to intercept and/or modify data in sessions protected by SSL/TLS - in effect, to mount a Man-in-the-Middle attack.

iPhone and iPad users are advised to update to versions 7.0.6 or 6.16 of the OS as soon as possible, and OS X users are urged to avoid using public networks until the same fix is released for the OS.

According to various sources, Apple's Safari browser and default Mail.app are both vulnerable, but Firefox and Chrome are not affected, so Mac users could temporarily switch to using those.

Apple has promised to release the OS X fix "soon."

Researchers who have tested earlier versions of both iOS and OS X have concluded that the bug was present for months.

Google security researcher Adam Langley has explained how the flaw works and where the mistake happened in the source code.

The simplicity of the flaw and the fact that it could allow anyone - and especially intelligence agencies - to exploit it for spying on users gave rise to speculation that its existence could have been intentional. The other alternative is that Apple has a poor code review process in place.

The issue also made people criticize Apple's preference for proprietary closed source. They argued that such a glaring mistake could have been spotted ages ago if more security researchers had the possibility to review the code.








